If I understand this correctly, we need a public IP as well as a domain with an SSL cert to use synthetic monitoring. But at the end of the posted link it is written that a public IP is enough. So my first question would be: is a public IP enough or not?

My second question is more important. Do we really need to open up port 443 for the public security gateway? My customer has security concerns about that, or will there be a 2-way TLS handshake after generating the cert in the management console? We really want to use the same host on which the Dynatrace Server is located, but it looks like this won't be possible due to security.

3 Replies

To address our security concerns, we installed the security gateway on a separate server in our internal network and set up a proxy server in the DMZ, then only opened port 9999 between the internet and the DMZ and port 9999 between the DMZ and the security gateway.

The security gateway then serves two purposes: handling the internet traffic and consolidating traffic in our environment to the Dynatrace Managed server.

The management console allows you to generate separate certificates for both the Server/UI and the Public Security Gateway, so you only need the public IP; Dynatrace will generate the domain name and the certificate and manage that for you.

As for your question about the certificate, port and handshake, I'm not entirely sure, but I would speculate that port 9999 would be used even if installed on the same server, and a different certificate would also be used.

Dynatrace recommends having a security gateway even if it's not made public. We actually installed 3 of them on various existing servers, just to have some redundancy without making the Dynatrace server itself redundant. *NOTE: If you do this and make one of them public, Dynatrace will "complain" that all of them should have a public IP, but we are just living with the warning. This is because Dynatrace manages the domain name and certificate for the public IP.


Answer by
Stephan D.·
Apr 06, 2018 at 12:52 PM

I talked with Dynatrace support yesterday, and indeed only port 9999 is needed for outbound traffic, not 443. 443 is only mentioned in the documentation to clarify that this is an HTTPS connection. That was a little bit misleading.

Further, I was told that it is possible to restrict incoming requests to 9999 by the IPs of those data centers from which I would like to make the synthetic checks.

One additional IP you can add is from Davis (52.0.97.215 from our logs). This gives you external chat-bot capabilities that are at least fun to play with. Interesting both from the Davis web client and the Alexa skill.
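The two replies above describe the same inbound stance from two angles: a DMZ host that exposes only TCP/9999 to the internet (not 443), and that port further restricted to the source IPs of the synthetic locations. The following is an added example, not code from this thread or from Dynatrace, that models that stance as a small policy object which can both decide an inbound connection attempt and render the equivalent nftables ruleset. The source ranges are constructed placeholders (RFC 5737 test networks), not real synthetic data-center addresses; the interface name `eth0` and the sample attempts are assumptions too.

```python
"""Inbound allowlist for the public security gateway port.

Added example, not from the Dynatrace community thread or from Dynatrace:
default-drop inbound policy that accepts TCP to one port (9999) only from
allowlisted IPv4 sources, leaving 443 closed. Source ranges below are
constructed placeholders; take the real ones from the vendor's documentation.
"""
import ipaddress
from dataclasses import dataclass

GATEWAY_PORT = 9999  # the port the replies say is actually used, not 443

# Constructed placeholder sources (RFC 5737 TEST-NET ranges).
ALLOWED_SOURCES = [
    "203.0.113.0/24",   # stands in for one synthetic location's egress range
    "198.51.100.7/32",  # stands in for a single allowlisted external client
]


@dataclass(frozen=True)
class Policy:
    """Default-drop inbound policy: TCP to one port, from allowlisted IPv4 sources."""
    port: int
    sources: tuple  # tuple of ipaddress.IPv4Network

    @classmethod
    def from_cidrs(cls, port, cidrs):
        # strict=True rejects a CIDR with host bits set, a common allowlist typo
        nets = tuple(ipaddress.IPv4Network(c, strict=True) for c in cidrs)
        return cls(port, nets)

    def allows(self, src_ip, dst_port, proto="tcp"):
        """Decide an inbound attempt the way the firewall would."""
        if proto != "tcp" or dst_port != self.port:
            return False
        addr = ipaddress.IPv4Address(src_ip)
        return any(addr in net for net in self.sources)

    def to_nftables(self, iface="eth0"):
        """Render the same policy as an nftables ruleset with a default-drop
        input chain. iface is an assumed interface name; IPv6 is not covered."""
        elements = ", ".join(str(n) for n in self.sources)
        return "\n".join([
            "table inet gateway_fw {",
            "    set allowed_v4 {",
            "        type ipv4_addr",
            "        flags interval",
            f"        elements = {{ {elements} }}",
            "    }",
            "    chain input {",
            "        type filter hook input priority 0; policy drop;",
            "        ct state established,related accept",
            '        iif "lo" accept',
            f'        iif "{iface}" ip saddr @allowed_v4 tcp dport {self.port} accept',
            "    }",
            "}",
        ])


def audit_attempts(policy, attempts):
    """Classify (src_ip, dst_port, proto) attempts; returns {'accept': [...], 'drop': [...]}."""
    verdicts = {"accept": [], "drop": []}
    for src, port, proto in attempts:
        key = "accept" if policy.allows(src, port, proto) else "drop"
        verdicts[key].append((src, port, proto))
    return verdicts


# Constructed sample attempts, as a firewall log would record them.
SAMPLE_ATTEMPTS = [
    ("203.0.113.10", 9999, "tcp"),  # synthetic location -> gateway: accept
    ("203.0.113.10", 443, "tcp"),   # same source on 443: drop (443 is not needed)
    ("192.0.2.55", 9999, "tcp"),    # unknown source on the right port: drop
    ("198.51.100.7", 9999, "tcp"),  # single allowlisted client: accept
    ("203.0.113.10", 9999, "udp"),  # right port, wrong protocol: drop
]

POLICY = Policy.from_cidrs(GATEWAY_PORT, ALLOWED_SOURCES)

if __name__ == "__main__":
    print(POLICY.to_nftables())
    for verdict, items in audit_attempts(POLICY, SAMPLE_ATTEMPTS).items():
        print(verdict, items)
```

The rendered ruleset only ever opens the gateway port to the allowlisted sources; everything else, including 443, falls through to the chain's `policy drop`. Keeping the allowlist in one place and generating the rules from it makes it easy to review which external ranges can reach the gateway and to re-check recorded attempts against the intended policy.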

Answer by
Prashant S.·
Apr 06, 2018 at 02:54 AM

Hi Matthew, I have a question on this. We want to use the public gateway for a mobile application. What if I installed the public security gateway on a server located in the DMZ itself instead of having a proxy server, and from the security gateway server I open port 8443 to our Managed server? Will this work for my solution?

Hi Matthew, one more question on this. Users want to use the new Dynatrace alert feature which we can see in the Dynatrace mobile application. Do we need the public gateway in that case? How should it ideally be set up?